mace-opensaml-users - RE: [OpenSAML] Testing SAML relying party browser post profile
- From: "Pantvaidya, Vishwajit" <>
- To: "" <>
- Subject: RE: [OpenSAML] Testing SAML relying party browser post profile
- Date: Mon, 10 Nov 2008 18:53:18 -0800
- Accept-language: en-US
> [Pantvaidya, Vishwajit] Just to understand this, why not just encrypt with the public key? Does this provide any additional level of security (though I cannot imagine how).
>
> One reason is performance. The asymmetric ciphers (e.g. RSA) tend to be about 1000 to 10,000 times slower than symmetric ciphers of comparable strength (i.e. 3 or 4 orders of magnitude). That's a big hit. So the idea is to encrypt a small amount of data (a symmetric key) with the public key to lessen that hit.
>
> And another is pragmatic: because of the above, I believe that XML Encryption does not even define algorithm URIs for, say, RSA for bulk data encryption. You'd have to define cipher modes and so on if you want to encrypt data larger than the maximum encryptable block size for the algorithm. For RSA, that max block size is a little less than the modulus size, e.g. for a 2048 bit RSA key, you can encrypt slightly less than 2k of data. That's more than enough for encrypting a symmetric key (e.g. AES 256 bit), but not nearly enough for, say, a medium to large sized SAML Assertion...

[Pantvaidya, Vishwajit] Brent, thanks a lot for the insight. You mentioned earlier that secret keys are also used to sign SAML responses. Is that also done in a similar way, i.e. use a randomly generated secret key to sign and then encrypt the secret key using a public key?
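The key-wrapping pattern Brent describes above (a random symmetric key encrypts the bulk data, and only that small key is encrypted under the recipient's RSA public key) can be shown concretely. The following Go program is an added example written for this archive page; it is not OpenSAML code and does not use the XML Encryption wire format. It uses Go's standard library only: RSA-OAEP with SHA-256 to wrap a random AES-256 key, AES-GCM for the bulk data, and a `DirectRSAEncrypt` helper that demonstrates the size limit the message mentions (for a 2048-bit key, RSA-OAEP with SHA-256 accepts at most 190 bytes, so a SAML Assertion of even modest size cannot be encrypted directly). The `SampleAssertion` is a constructed placeholder, and the function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// HybridCiphertext holds the two pieces an XML Encryption message would carry
// separately: the RSA-wrapped symmetric key (EncryptedKey) and the bulk
// AES ciphertext (EncryptedData). This struct is the example's own layout.
type HybridCiphertext struct {
	WrappedKey []byte // AES-256 key encrypted with RSA-OAEP (SHA-256)
	Nonce      []byte // AES-GCM nonce, random per message
	Body       []byte // AES-256-GCM ciphertext with the authentication tag appended
}

// SampleAssertion is a constructed stand-in for a SAML Assertion (roughly 320
// bytes). Real assertions are usually larger still once attributes and an
// XML Signature are present.
var SampleAssertion = []byte(
	`<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" IssueInstant="2008-11-10T18:53:18Z" Version="2.0">` +
		`<saml:Issuer>https://idp.example.org/idp</saml:Issuer>` +
		`<saml:Subject><saml:NameID>user@example.org</saml:NameID></saml:Subject>` +
		`<saml:AuthnStatement AuthnInstant="2008-11-10T18:50:00Z"/>` +
		`</saml:Assertion>`)

// GenerateRecipientKey creates the relying party's RSA key pair.
func GenerateRecipientKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// MaxRSAOAEPPlaintext is the largest message RSA-OAEP with SHA-256 can encrypt
// directly under pub: modulus length in bytes minus 2*hashLen minus 2.
func MaxRSAOAEPPlaintext(pub *rsa.PublicKey) int {
	return pub.Size() - 2*sha256.Size - 2
}

// DirectRSAEncrypt encrypts msg under RSA alone. It fails with
// rsa.ErrMessageTooLong once msg exceeds MaxRSAOAEPPlaintext(pub).
func DirectRSAEncrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// HybridEncrypt generates a fresh AES-256 key, seals the plaintext with
// AES-GCM, and wraps only the 32-byte key under the recipient's public key.
func HybridEncrypt(pub *rsa.PublicKey, plaintext []byte) (*HybridCiphertext, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	body := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &HybridCiphertext{WrappedKey: wrapped, Nonce: nonce, Body: body}, nil
}

// HybridDecrypt unwraps the AES key with the private key, then opens the bulk
// ciphertext; a tampered body or wrong key makes gcm.Open return an error.
func HybridDecrypt(priv *rsa.PrivateKey, ct *HybridCiphertext) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ct.Nonce, ct.Body, nil)
}

func main() {
	priv, err := GenerateRecipientKey(2048)
	if err != nil {
		panic(err)
	}
	fmt.Printf("direct RSA-OAEP limit for a 2048-bit key: %d bytes\n", MaxRSAOAEPPlaintext(&priv.PublicKey))
	if _, err := DirectRSAEncrypt(&priv.PublicKey, SampleAssertion); err != nil {
		fmt.Printf("direct RSA encryption of a %d-byte assertion failed: %v\n", len(SampleAssertion), err)
	}
	ct, err := HybridEncrypt(&priv.PublicKey, SampleAssertion)
	if err != nil {
		panic(err)
	}
	pt, err := HybridDecrypt(priv, ct)
	if err != nil {
		panic(err)
	}
	fmt.Printf("hybrid round trip ok: %v (wrapped key %d bytes, body %d bytes)\n",
		string(pt) == string(SampleAssertion), len(ct.WrappedKey), len(ct.Body))
}
```

Two design points worth noting. The symmetric key is generated fresh for every message and never reused, which is what makes the scheme safe to combine with a single long-lived RSA key. And AES-GCM is used rather than a bare block-cipher mode because it authenticates the ciphertext, so a modified body is rejected at `gcm.Open` instead of decrypting to garbage; XML Encryption deployments of that era commonly used CBC, which offers no such integrity check on its own.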
- Re: [OpenSAML] Testing SAML relying party browser post profile, Pantvaidya, Vishwajit, 11/07/2008
- Re: [OpenSAML] Testing SAML relying party browser post profile, Brent Putman, 11/07/2008
- Re: [OpenSAML] Testing SAML relying party browser post profile, Pantvaidya, Vishwajit, 11/07/2008
- RE: [OpenSAML] Testing SAML relying party browser post profile, Pantvaidya, Vishwajit, 11/10/2008
- Re: [OpenSAML] Testing SAML relying party browser post profile, Brent Putman, 11/10/2008
- RE: [OpenSAML] Testing SAML relying party browser post profile, Pantvaidya, Vishwajit, 11/10/2008
- RE: [OpenSAML] Testing SAML relying party browser post profile, Scott Cantor, 11/10/2008
- Re: [OpenSAML] Testing SAML relying party browser post profile, Brent Putman, 11/10/2008
- RE: [OpenSAML] Testing SAML relying party browser post profile, Pantvaidya, Vishwajit, 11/10/2008
- Re: [OpenSAML] Testing SAML relying party browser post profile, Brent Putman, 11/10/2008
- RE: [OpenSAML] Testing SAML relying party browser post profile, Pantvaidya, Vishwajit, 11/10/2008
- RE: [OpenSAML] Testing SAML relying party browser post profile, Pantvaidya, Vishwajit, 11/10/2008
- Re: [OpenSAML] Testing SAML relying party browser post profile, Brent Putman, 11/10/2008
- RE: [OpenSAML] Testing SAML relying party browser post profile, Pantvaidya, Vishwajit, 11/10/2008